Good news from the Redmond giant: Windows Defender Advanced Threat Protection (ATP) is now capable of detecting behavior associated with the sophisticated FinFisher spyware.
FinFisher, also known as FinSpy, is a ten-year-old "lawful interception" product built by the Germany-based FinFisher GmbH, which sells it exclusively to governments.
This malware is continually evolving. Our cybersecurity researchers observed it exploiting a .NET Framework zero-day – CVE-2017-8759 – for infection.
This threat comes packed with detection-evasion and anti-analysis capabilities: spaghetti code, multi-layered virtual machine detection, and several anti-debug and defensive measures. Because of these advanced evasion capabilities, the malware can be detected only by a handful of robust security solutions, now including Windows Defender Advanced Threat Protection. For those who want to expand their protection, we recommend using an antivirus for Mac or an antivirus for Windows, depending on which OS their devices run.
The use of virtualized instruction blocks ensures that malware analysis with conventional tools is not possible, and the anti-debug and anti-analysis tricks inside the virtualized code evade dynamic analysis tools as well.
Our cybersecurity researchers say that the first thing FinFisher does is detect sandbox environments. If all of these checks pass, the loader loads ntdll.dll, kernel32.dll, advapi32.dll, and version.dll into memory itself, making debuggers and software breakpoints useless.
Next, the malware performs additional anti-sandbox checks to avoid specific sandbox or security products, and also checks for virtualized environments.
Only after all these checks pass does the loader execute a well-known technique called Heaven's Gate, meaning that it moves code execution from the loader into memory.
Stage 3 begins with the installation of the malware; this step no longer employs a VM or obfuscation. The malware is installed either in a UAC-enforced environment with limited privileges or with full administrative privileges enabled.
Stage 4 is a loader for UAC bypass or for installation with admin rights.
Stage 5 is a payload injected into explorer.exe or winlogon.exe, which adds one more layer of obfuscation for the final payload and sets up a unique Structured Exception Handler routine to keep its operation stealthy.
Stage 6 is the main malware executable.
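One defender-side check that follows from the stage-5 description above, added here as an example and not part of the original article or of Microsoft's detection logic: flag remote-thread creation into explorer.exe or winlogon.exe from any source process that is not on a small benign list. The telemetry lines, the key=value format and the benign-source list are all constructed assumptions for the example.

```python
# Added example (not from the article): flag cross-process injection into the
# two hosts the article names as FinFisher stage-5 targets, explorer.exe and
# winlogon.exe, over constructed remote-thread telemetry lines.
import re
from typing import Dict, List

# Processes the article names as FinFisher's stage-5 injection hosts.
INJECTION_HOSTS = {"explorer.exe", "winlogon.exe"}

# Source images that legitimately create threads in those hosts (assumption;
# build this list from a baseline of your own endpoints before relying on it).
BENIGN_SOURCES = {"csrss.exe", "explorer.exe", "winlogon.exe", "svchost.exe"}

# Constructed telemetry, loosely modelled on a remote-thread creation event:
# one event per line, space-separated key=value fields.
SAMPLE_EVENTS = """
event=CreateRemoteThread source=C:\\Windows\\System32\\csrss.exe target=C:\\Windows\\explorer.exe
event=CreateRemoteThread source=C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe target=C:\\Windows\\explorer.exe
event=CreateRemoteThread source=C:\\ProgramData\\svc\\ldr.exe target=C:\\Windows\\System32\\winlogon.exe
event=ProcessCreate source=C:\\Windows\\explorer.exe target=C:\\Windows\\System32\\notepad.exe
event=CreateRemoteThread source=C:\\Windows\\System32\\svchost.exe target=C:\\Windows\\System32\\winlogon.exe
""".strip().splitlines()

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value telemetry line into a dict."""
    return dict(FIELD_RE.findall(line))

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def suspicious_injections(lines: List[str]) -> List[Dict[str, str]]:
    """Return remote-thread events whose target is explorer.exe or
    winlogon.exe and whose source process is not on the benign list."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("event") != "CreateRemoteThread":
            continue
        if basename(ev.get("target", "")) not in INJECTION_HOSTS:
            continue
        if basename(ev.get("source", "")) in BENIGN_SOURCES:
            continue
        hits.append(ev)
    return hits

if __name__ == "__main__":
    for hit in suspicious_injections(SAMPLE_EVENTS):
        print(f"ALERT: {hit['source']} -> {hit['target']}")
```

On the constructed sample the two events sourced from a user Temp directory and from ProgramData are flagged, while the csrss.exe and svchost.exe events are not.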
This kind of malware can affect businesses and individuals alike, so whether you are a company or a home user we recommend always considering a secure cybersecurity solution such as an antivirus. Depending on which OS you run, opt for an antivirus for Windows or an antivirus for Mac.
Large companies should also run security checks such as penetration tests and ethical hacking assessments to discover and fix any vulnerabilities present in their networks. This can be done quickly by contracting professional cybersecurity services.